OWASP Seattle

funds to OWASP earmarked for Seattle. Click here to join the local chapter mailing list.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is and open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Next Event 11 August (Wednesday)

Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 8/11/2010 @ 6:30ish

Presentations:

How OWASP Works and Guided Tour of OWASP Projects

Speaker: Dinis Cruz

This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives should the local chapters be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology)

Using the O2 Platform to Consume OWASP projects

Speaker: Dinis Cruz

This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM

The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest) , b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and c) engage on a two-way conversion on the best way to fix/remediate those vulnerabilities.

For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.

Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers.

Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences

At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP Board

Previous Event 28 April (Wednesday)

Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 4/28/2010 @ 6:30ish

Presentations:

How OWASP Works and Guided Tour of OWASP Projects

Speaker: Dinis Cruz

This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives should the local chapters be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology)

Using the O2 Platform to Consume OWASP projects

Speaker: Dinis Cruz

This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM

The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest) , b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and c) engage on a two-way conversion on the best way to fix/remediate those vulnerabilities.

For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform.

Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers.

Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences

At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP Board

Same origin policy is a simple and important security policy which protects millions of users on the web. Often times the policy is over simplified and there is a misconception that there is one consistent policy being used across all web technologies. Unfortunately this can’t be further from the truth. Different browser brands, RIA plugins, various scripting languages and features within the browser environment have their own interpretation of the same origin policy. Not understanding the subtle differences can be catastrophic to web security. This presentation tries to summarize the deltas in the same origin policy. This is also a call for action to involve the community to more comprehensively document the policies.

Hidetake Jo is part of the Trustworthy Computing team in Office. He works with teams throughout Office to identify threats and ways to mitigate those threats, he also gets to break stuff. Hidetake has written many penatration testing tools that are used throughout Microsoft.

The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.

Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.

The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white listing approach provides several advantages over other encoding schemes. The following are some new features of Anti-XSS library v3.0.

An expanded white list that supports more languages

Performance improvements

Performance data sheets (in the online help)

Support for Shift_JIS encoding for mobile browsers

Security Runtime Engine (SRE) HTTP module

A sample application

In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.

Anil Kumar Revuru currently works for Information Security Tools team in Microsoft as Senior SDE where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool and Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. Has keen interest in photography, xbox and computer hardware.

Speaker: Andre Gironda

Using ASVS with the Code Review Guide, Testing Guide, and Time Management

The OWASP Application Security Verification Standards, which defines
four levels of web application security verification, lays down a
framework for security architecture review. While the ASVS includes
many requirements for controls, it does not suggest which tools,
techniques, timeline or methodologies to utilize. The OWASP Code
Review and Testing Guides provide the technical practices and suggest
or hint at tools, but also lack the timeline and methodology necessary
to complete an application penetration-test or SDLC integration
project for proper application security hygiene.

This presentation will provide the 1000 foot view all the way down to
the nitty gritty details of how to perform ASVS activities using OWASP
resources, as well as some OWASP and non-OWASP tools (freeware or
demoware). Example timelines for typical ASVS activities, including
reports, will be discussed so that any sort of application security
project can be scoped properly, delivered on-time, and within budget.

Andre Gironda is an application security specialist with a global
security consulting firm providing IT security services to the Fortune
500 and financial institutions as well as U.S. and foreign
governments. Prior to his current employment, Andre held a number of
payment application security positions in addition to working for the
largest online auction website. He is currently a leader for the Open
Web Application Security Project (OWASP), where he co-produces the
global OWASP News Podcast.

Every few months witnesses the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.

Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, It will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.

Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives.

In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security & Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.

Speaker: Ashok Misra

Application Issues with encryption of PANs

There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.

Ashok Misra is an Ecommerce professional with more than 10 years experience delivering results for leading ecommerce merchants.

He is currently Sr. Manager Payments & Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.

Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands on experience in merchant integration with several leading payment providers.

Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.

Previous Event 23 October (Thursday)

Location: 810 Third Avenue

Seattle, WA 98104

Conference room on the first floor

Date: 10/23/2008

Time: 6:30PM

Speakers:

Speaker: Michael Eddington

Fuzzjacking!

Fuzzing is one of the hot new buzzwords in the security industry and
if your clients had not already ask for it they will. This talk will
introduce the subject, talk about different types of fuzzers,
integration into SDL, when to fuzz and also talk a bit about the Peach
Fuzzing Platform. Questions and interaction requested :)

Michael Eddington is a founding principal of Leviathan Security Group with over ten years
experience in computer security, with expertise in application and
network security, through threat modeling. Michael founded the
security services practice for IOActive and co-founded the Security
Services Center for Hewlett-Packard's services division. Michael is
also an accomplished software developer, having participated in a
number of open-source security development projects ranging from the
Trike threat modeling conceptual framework to the Peach Fuzzer
Platform.

Speaker: Chris Weber

Exploiting Unicode-enabled Software

This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or takeover the machine.

Chris Weber co-founded Casaba Security who focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products

Show how to retrofit an existing executable to perform dynamic taint propagation.

Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.

Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.

The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.

Taylor McKinley, Product Manager, Fortify Software

Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.

Speaker: Scott Stender

Concurrency Attacks in Web Applications

Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.

Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.

Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.

This presentation will provide brief technical background against this class of flaw and enumerate testing techniques that help identify when flaws are present.

Scott Stender is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.

Previous Event 4 March (Tuesday)

Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 03/04/2008

Time: 6:30PM

Speakers:

Speaker: Billy Rios

Bad Sushi - Beating Phishers at Their Own Game

This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, demonstrate how easy it is so follow a phsisher's trail to find out how they share information on US Citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.

Phishers usually setup their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be setup to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.

This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.

This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.

Billy Rios lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.

Speaker: Jon McClintock

Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.

Jon McClintock is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.

Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.

Presentation Title: Emerging threats in Web 2.0

Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 Vulnerabilities (Ajax, XSRF, etc).

Chris Clark, iSEC Partners

Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.

Presentation Title: Ruby on Rails Security

Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier. Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks. Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.

11/29/2007 @ 6:30PM PST - Seattle chapter meeting

Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 11/29/2007

Time: 6PM

Speakers:

Tom Gallagher has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".

Presentation Title: Hunting security bugs in your code

Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge. Some security bugs are difficult to uncover and require deep knowledge. However, with basic knowledge many areas can be tested without much effort. This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.

David E Stevens III, Senior ROI Analyst, Symplified Inc.

In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.

Synopsis of "Understanding ROI, TCO and other key financial aspects of IT Security"

In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!

Rob Rachwald - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob, then, managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services.

Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies. How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly? How are developers trained to write code securely? How are software security tools, such as dynamic and static analysis, deployed for optimal use?

Damon Cortesi - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and event the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.

Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will included manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.

Update: - Rob's slides can be downloaded from here.
Update #2: - Damon's slides can be found here.

Dinis Cruz (Chief OWASP Evangelist) - Directly from London, Dinis will be doing two presentations at this event:

Buffer Overflows on .Net and Asp.Net - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).

OWASP, the Open Web Application Security Project - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.

0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.

XML Digital Signature and Encryption: Use and Abuse - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.